Having worked with PowerShell and Azure for a while, below are some of the common commands for managing Azure resources from PowerShell.
In this blog I cover the following topics
- How to install the Az module in PowerShell
- How to check which versions of Az are installed
- How to connect to Azure using PowerShell
- How to create or remove resource locks using PowerShell
- How to look up a policy definition and assign it to a resource group using PowerShell
1. Install the PowerShellGet module on the local machine
Install-Module PowerShellGet -Force -Scope CurrentUser
2. Install the AzureRM/Az package: Az is the recommended module, AzureRM is the older one and has since been retired. Do not keep both installed in the same PowerShell installation; running them side by side is not supported.
Install-Module -Name AzureRM -AllowClobber -Scope CurrentUser   # older module, shown for reference only
Install-Module -Name Az -AllowClobber -Scope CurrentUser
3. Get the list of Az versions installed on the machine
Get-InstalledModule -Name Az -AllVersions
4. Connect to the Azure account
Connect-AzAccount
5. Get the list of resource groups within the subscription
Get-AzResourceGroup
6. Get the list of resources within a resource group
Get-AzResource -ResourceGroupName <resource group name>
Implementing Resource Locks using PowerShell
Locks prevent the resources within a resource group from being modified or deleted. There are two lock levels available: CanNotDelete and ReadOnly.
CanNotDelete Locks: no user can delete the locked resource or, when set on a resource group, any resource within it. An attempt to delete fails with an error; modifications are still allowed.
ReadOnly Locks: prevent users from modifying or deleting the resource (or all resources in the group). Be aware that ReadOnly also blocks management operations that need a POST, for example listing storage account keys, so it can break workloads that look read-only.
Locks can be applied at the resource group level, where child resources inherit them, or on individual resources within the group. Two points a practitioner should keep in mind: locks act on the Azure control plane only, so a ReadOnly lock on a SQL database does not stop data inside it from changing; and creating or removing a lock needs Microsoft.Authorization/locks/* permission (Owner or User Access Administrator), so a lock guards against accidental deletion, not against an attacker who already holds those rights.
Locks can be created from the portal, PowerShell or the Azure CLI. Below are the commands to get, create and remove locks both at the resource group level and on a particular resource within the resource group.
For the commands below I have created a resource group called myrg180988 which has several resources including a SQL server database. I am creating two locks: a ReadOnly lock on the SQL database resource and a CanNotDelete lock on the entire resource group. Let's see how this can be accomplished using PowerShell commands.
#Step 1 : connecting to the Azure account
Connect-AzAccount
#Step 2 : removing the existing lock on the database (nested resources are addressed as "<server>/<database>")
Remove-AzResourceLock -LockName "mylock180988" -ResourceGroupName "myrg180988" -ResourceName "mydb180988/myDB" -ResourceType "Microsoft.Sql/servers/databases"
#Step 3 : adding a new ReadOnly lock at the database level
New-AzResourceLock -LockLevel ReadOnly -LockNotes "This will prevent the database from being modified or deleted" -LockName "mylock180988" -ResourceGroupName "myrg180988" -ResourceName "mydb180988/myDB" -ResourceType "Microsoft.Sql/servers/databases"
#Step 4 : List the locks available
Get-AzResourceLock -ResourceGroupName "myrg180988"
#Step 5 : Setting a CanNotDelete lock on the entire resource group
New-AzResourceLock -LockLevel CanNotDelete -LockName "mylckn180988" -ResourceGroupName "myrg180988"
#Step 6 : Listing the resource locks for the resource group (the Properties column shows the lock level and notes)
Get-AzResourceLock -ResourceGroupName "myrg180988" | Select-Object -Property ResourceGroupName,ResourceName,LockName,Properties
#Step 7 : Removing the resource level lock
Remove-AzResourceLock -LockName "mylock180988" -ResourceGroupName "myrg180988" -ResourceName "mydb180988/myDB" -ResourceType "Microsoft.Sql/servers/databases"
#Step 8 : Listing the resource locks again
Get-AzResourceLock -ResourceGroupName "myrg180988" | Select-Object -Property ResourceGroupName,ResourceName,LockName,Properties
#Step 9 : Removing the lock at the resource group level
Remove-AzResourceLock -LockName "mylckn180988" -ResourceGroupName "myrg180988"
#Step 10 : Listing the locks again
Get-AzResourceLock -ResourceGroupName "myrg180988" | Select-Object -Property ResourceGroupName,ResourceName,LockName,Properties
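The commands above create and remove one lock at a time. What a practitioner usually wants is a re-runnable way to enforce a lock and a way to find resource groups that have none. The script below is an added example, not part of the original post: it assumes an authenticated Az session (Connect-AzAccount) with the Az.Resources module loaded, and the resource group and lock names are hypothetical. The Set-RgLockIfMissing function only creates the lock when no lock of that name exists, so it is safe to run from a pipeline repeatedly; Get-ResourceGroupsWithoutDeleteLock walks the current subscription and reports every resource group with no CanNotDelete or ReadOnly lock at its own scope (-AtScope ignores locks on child resources, which do not protect the group itself).

```powershell
# Added example, not from the original post. Requires Az.Resources and a signed-in context.

# Refuse to run against whatever subscription happens to be current without showing it first.
$ctx = Get-AzContext
if (-not $ctx) { throw 'Not signed in: run Connect-AzAccount first.' }
Write-Host "Working in subscription $($ctx.Subscription.Name) ($($ctx.Subscription.Id))"

function Set-RgLockIfMissing {
    # Create a resource-group-level lock only if a lock with this name is not already present.
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$LockName,
        [ValidateSet('CanNotDelete', 'ReadOnly')][string]$LockLevel = 'CanNotDelete',
        [string]$Notes = 'Managed by script; remove only through the change process'
    )
    $existing = Get-AzResourceLock -ResourceGroupName $ResourceGroupName -LockName $LockName `
        -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Lock '$LockName' already on $ResourceGroupName (level: $($existing.Properties.level))"
        return $existing
    }
    # -Force suppresses the confirmation prompt so the function works non-interactively.
    New-AzResourceLock -LockName $LockName -LockLevel $LockLevel -LockNotes $Notes `
        -ResourceGroupName $ResourceGroupName -Force
}

function Get-ResourceGroupsWithoutDeleteLock {
    # Return resource groups in the current subscription that have no lock at RG scope.
    # Both lock levels block deletion, so either one counts as delete protection.
    foreach ($rg in Get-AzResourceGroup) {
        $locks = Get-AzResourceLock -ResourceGroupName $rg.ResourceGroupName -AtScope `
            -ErrorAction SilentlyContinue
        $protected = @($locks | Where-Object { $_.Properties.level -in 'CanNotDelete', 'ReadOnly' }).Count -gt 0
        if (-not $protected) {
            [pscustomobject]@{
                ResourceGroupName = $rg.ResourceGroupName
                Location          = $rg.Location
                Tags              = if ($rg.Tags) { ($rg.Tags | ConvertTo-Json -Compress) } else { '' }
            }
        }
    }
}

# Usage (hypothetical names): enforce a delete lock on one group, then audit the subscription.
Set-RgLockIfMissing -ResourceGroupName 'myrg180988' -LockName 'mylckn180988' -LockLevel CanNotDelete | Out-Null
Get-ResourceGroupsWithoutDeleteLock | Format-Table -AutoSize
```

The audit output is the list you would feed into a ticket or a policy decision; since removing a lock needs Owner or User Access Administrator rights, a lock that disappears from this report between runs is worth correlating with the Activity Log entry for Microsoft.Authorization/locks/delete.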
Policy Creation/Assignment using PowerShell
To demo this I am creating a new resource group, looking up a policy definition and assigning that definition to the resource group. For instance, I want a policy which ensures all my SQL servers have threat detection enabled. If you go to the portal and browse the policies related to SQL servers you can see the built-in definition "Deploy Threat Detection on SQL servers". We need to assign this policy to our resource group: first we fetch the definition object with Get-AzPolicyDefinition, which returns the built-in definition published by Microsoft, and then we use New-AzPolicyAssignment to assign it to the resource group we created.
#Step 1 : Creating a resource group called mytestpolicy and assigning it to a variable
$myrggrp = New-AzResourceGroup -Name "mytestpolicy" -Location "South India"
echo $myrggrp
#Step 2 : Looking up the built-in policy definition and assigning it to a variable
$mypolicydef = Get-AzPolicyDefinition | Where-Object { $_.Properties.DisplayName -eq "Deploy Threat Detection on SQL servers" }
echo $mypolicydef
#Step 3 : Assign this policy definition to the new resource group
New-AzPolicyAssignment -Name "audit-sql-threat-detection" -DisplayName "This will ensure the SQL servers have threat detection enabled" -Scope $myrggrp.ResourceId -PolicyDefinition $mypolicydef -Location "South India" -AssignIdentity
Note: -AssignIdentity creates a system-assigned managed identity for the assignment. This definition has a DeployIfNotExists effect, so it needs an identity to deploy the threat detection settings into the SQL servers; when you pass -AssignIdentity you must also specify a -Location, which is where the identity is created. The portal additionally grants that identity the roles listed in the definition's roleDefinitionIds; when assigning from PowerShell you have to create those role assignments yourself, otherwise evaluation will report non-compliance but remediation will fail.
#Step 4 : To check whether the resources are compliant with the policy or not
Get-AzPolicyState -ResourceGroupName $myrggrp.ResourceGroupName -PolicyAssignmentName "audit-sql-threat-detection" -Filter 'IsCompliant eq false'
This returns the resources in the resource group that are non-compliant with the assignment. Compliance is evaluated on a schedule, so a freshly created assignment may return nothing until the first evaluation has run.
#Step 5 : delete the policy assignment
Remove-AzPolicyAssignment -Name "audit-sql-threat-detection" -Scope "/subscriptions/9c350b81-c8d7-40f1-831b-11a0ea6eda3c/resourceGroups/mytestpolicy"
Note: for removing a policy assignment we must give the full scope path of the resource group from the subscription downwards; this is the same value as $myrggrp.ResourceId.
#Step 6 : delete the policy definition
Remove-AzPolicyDefinition -Name $mypolicydef.Name -SubscriptionId "9c350b81-c8d7-40f1-831b-11a0ea6eda3c"
Note: this step only applies to custom definitions you created yourself. The definition used here is built in and was only looked up, not created, so there is nothing to delete; Azure does not allow built-in definitions to be removed.
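The steps above leave out what makes a DeployIfNotExists assignment actually work from PowerShell: granting the assignment's managed identity the roles the definition asks for, triggering an evaluation, and remediating SQL servers that already exist. The script below is an added example and not code from the original post. It assumes the Az.Resources and Az.PolicyInsights modules and a signed-in context; the resource group and assignment names are hypothetical, and the Properties.* paths on the definition and assignment objects follow the object shape used in this post (newer Az.Resources releases may expose the same fields at the top level, which is an assumption to verify against your installed version).

```powershell
# Added example, not from the original post. Requires Az.Resources, Az.PolicyInsights and a signed-in context.
$rgName         = 'mytestpolicy'                    # hypothetical
$location       = 'southindia'
$assignmentName = 'deploy-sql-threat-detection'     # hypothetical
$displayName    = 'Deploy Threat Detection on SQL servers'

# 1. Resource group: create it only if it does not already exist.
$rg = Get-AzResourceGroup -Name $rgName -ErrorAction SilentlyContinue
if (-not $rg) { $rg = New-AzResourceGroup -Name $rgName -Location $location }

# 2. Look up the built-in definition and fail closed if the display name is missing or ambiguous.
$def = @(Get-AzPolicyDefinition -Builtin | Where-Object { $_.Properties.DisplayName -eq $displayName })
if ($def.Count -ne 1) { throw "Expected exactly one definition named '$displayName', found $($def.Count)" }
$def = $def[0]

# 3. Assign at resource group scope with a system-assigned identity (required for DeployIfNotExists).
$assignment = Get-AzPolicyAssignment -Name $assignmentName -Scope $rg.ResourceId -ErrorAction SilentlyContinue
if (-not $assignment) {
    $assignment = New-AzPolicyAssignment -Name $assignmentName -DisplayName "$displayName (RG scope)" `
        -Scope $rg.ResourceId -PolicyDefinition $def -Location $location -AssignIdentity
}
$principalId = $assignment.Identity.PrincipalId

# 4. Grant the identity exactly the roles the definition declares, and nothing more.
#    The portal does this for you; from PowerShell it is your job. The identity needs a moment to
#    replicate in Entra ID, so role assignment is retried a few times.
$roleIds = @($def.Properties.PolicyRule.then.details.roleDefinitionIds)
foreach ($roleId in $roleIds) {
    $roleGuid = ($roleId -split '/')[-1]
    $have = Get-AzRoleAssignment -ObjectId $principalId -Scope $rg.ResourceId -ErrorAction SilentlyContinue |
        Where-Object { $_.RoleDefinitionId -eq $roleGuid }
    if ($have) { continue }
    $attempt = 0
    while ($true) {
        try {
            New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionId $roleGuid -Scope $rg.ResourceId `
                -ErrorAction Stop | Out-Null
            break
        } catch {
            if (++$attempt -ge 6) { throw }
            Start-Sleep -Seconds 10
        }
    }
}

# 5. Evaluate now instead of waiting for the periodic compliance cycle, then list what is non-compliant.
Start-AzPolicyComplianceScan -ResourceGroupName $rgName | Out-Null
Get-AzPolicyState -ResourceGroupName $rgName -PolicyAssignmentName $assignmentName -Filter 'IsCompliant eq false' |
    Select-Object ResourceId, ComplianceState, Timestamp

# 6. DeployIfNotExists only acts on resources that are created or updated after assignment.
#    A remediation task applies the deployment to SQL servers that already exist.
Start-AzPolicyRemediation -Name "remediate-$assignmentName" -ResourceGroupName $rgName `
    -PolicyAssignmentId $assignment.PolicyAssignmentId
```

When tearing this down, remove the assignment with Remove-AzPolicyAssignment as in step 5 of the post and then the role assignments on the identity with Remove-AzRoleAssignment; deleting the assignment alone leaves orphaned role assignments behind, which is worth checking for in any subscription where policies have been assigned and removed by script.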